chore(security): land OpenSSF Scorecard hardening recipe (RAN-51)#82
Merged
- Add .github/workflows/security.yml — OSS-CLI stack (Semgrep, osv-scanner, Trivy, Gitleaks, jscpd, anchore/sbom-action), language-adapted for Go + React/TS, all actions SHA-pinned.
- Realign scorecard.yml with the codeiq RAN-46 recipe: push-to-main + weekly cron + workflow_dispatch, step-security/harden-runner audit, SARIF -> Security tab, all actions SHA-pinned.
- SECURITY.md gains a "Hardening references" section linking the scorecard, security, codeql, and dependabot configs plus .bestpractices.json (project 12628 — passing).
- CLAUDE.md gains a "Security & Supply-Chain" section documenting the Scorecard baseline + target (Best Practices passing = hard gate; Scorecard observational with stretch >= 8.0/10 per board ruling).
- .bestpractices.json gains the OpenSSF schema header (project_id 12628, level=passing, evidence map, audit metadata) on top of the existing per-criterion answers.

Out-of-band repo settings flipped to satisfy the AC:

- Branch protection on main: required_signatures enabled.
- Repo-level Dependabot security updates: enabled.

Recipe-validation lane for RAN-50 — replicates next to otelcontext, snipIT, vigil.

Per-language deltas vs codeiq:

- osv-scanner runs against go.mod + ui/package-lock.json.
- semgrep adds p/golang and p/typescript; drops p/java.
- jscpd targets cmd/ + internal/ + ui/src; format go,javascript,typescript.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
Summary
Recipe-validation lane for RAN-51 (parent: RAN-50) — lands the per-project supply-chain hardening kit on docsiq before it fans out mechanically to otelcontext, snipIT, and vigil. Mirrors the codeiq RAN-46 recipe.

- `.github/workflows/security.yml` (new) — OSS-CLI stack (Semgrep + osv-scanner + Trivy + Gitleaks + jscpd + `anchore/sbom-action`), language-adapted for Go + React/TS, all actions SHA-pinned, top-level `permissions: read-all`.
- `.github/workflows/scorecard.yml` — realigned to the codeiq RAN-46 recipe: `push: [main]` + weekly cron + `workflow_dispatch`, `step-security/harden-runner` audit egress, SARIF → Security tab, all actions SHA-pinned. (Previous bespoke `workflow_run` / `branch_protection_rule` triggers dropped so the four pending repos can take this file verbatim.)
- `SECURITY.md` — adds a "Hardening references" section linking scorecard.yml, security.yml, codeql.yml, dependabot.yml, and `.bestpractices.json` (project 12628, badge: passing).
- `CLAUDE.md` — adds a "Security & Supply-Chain" section documenting the Scorecard baseline + target (Best Practices `passing` is the hard gate; Scorecard observational with stretch ≥ 8.0/10 per the RAN-50 board ruling).
- `.bestpractices.json` — adds the OpenSSF schema header (`project_id: 12628`, `level: passing`, evidence map, audit metadata) on top of the existing per-criterion answers.

Out-of-band repo settings (already applied via `gh api`)

These satisfy the AC but live outside the diff:

- Branch protection on `main` → `required_signatures.enabled = true` (was `false`).
- Repo-level Dependabot security updates → `enabled` (was `disabled`).
- Docs IQ → `codebase.repoUrl = https://github.com/RandomCodeSpace/docsiq.git`, `defaultRef = main` (was both `null`).

Per-language deltas vs codeiq RAN-46

- osv-scanner: `--lockfile=go.mod` + `--lockfile=ui/package-lock.json` (codeiq is npm-only because the `pomxml` plugin hits `deps.dev`).
- semgrep: `p/security-audit + p/owasp-top-ten + p/golang + p/typescript` (drops `p/java`).
- jscpd: `cmd internal ui/src`, `--format go,javascript,typescript`, ignores `*_test.go`, `e2e/`, `vendor/`.

Will fold these per-language deltas back into `shared/runbooks/engineering-standards.md` after the four-repo fan-out so the runbook captures the validated matrix.

Test plan

- `ci.yml`, `codeql.yml`, the new `security.yml` jobs (osv-scanner, trivy, semgrep, gitleaks, jscpd, sbom).
- `scorecard.yml` triggers on this PR's main push and uploads SARIF to the Security tab.
- `README.md` continues to render `passing` against project 12628.
- `main` enforces signed commits — verified before opening this PR (`gh api .../required_signatures` → `enabled: true`).

🤖 Generated with Claude Code
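Two properties this recipe asserts for every workflow file, that each `uses:` reference is pinned to a full 40-hex commit SHA rather than a mutable tag or branch, and that the top-level `permissions:` grants no write scope, are cheap to verify mechanically before the same files fan out to otelcontext, snipIT and vigil. The checker below is an added example written for this page; it is not code from the docsiq repo, the RAN-46 recipe or any of the actions named above. The sample workflow it scans is constructed inline, and its 40-zero SHA is a placeholder, not a real action commit.

```python
import re
import sys

# A `uses:` step reference, optionally quoted, optionally followed by a
# comment such as "# v4.2.2" that records the human-readable version.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
# A full 40-hex commit SHA; tags and branches (@v4, @main) can be moved.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_text):
    """Return [(line_no, ref), ...] for every `uses:` reference that is not
    pinned to a full commit SHA. Local actions (./path) live in the repo and
    docker:// images are not git refs, so both are skipped here."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _action, sep, version = ref.partition("@")
        if not sep or not SHA_RE.match(version):
            findings.append((lineno, ref))
    return findings


def has_top_level_read_only_permissions(workflow_text):
    """True if the workflow declares a top-level `permissions:` that grants
    no write scope: `read-all`, `{}`, or a mapping with no `write` value.
    Job-level blocks are indented and are ignored here; a missing top-level
    key means GITHUB_TOKEN falls back to the repository default."""
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        if not line.startswith("permissions:"):
            continue
        inline = line.split(":", 1)[1].split("#", 1)[0].strip()
        if inline:
            return inline in ("read-all", "{}")
        # Mapping form: walk the indented children until the next top-level key.
        j = i + 1
        while j < len(lines) and (not lines[j].strip() or lines[j][0] in " \t"):
            if re.search(r":\s*write\b", lines[j]):
                return False
            j += 1
        return True
    return False


# Constructed sample for this example; the 40-zero SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: security
on:
  push:
    branches: [main]
  schedule:
    - cron: '30 3 * * 1'
  workflow_dispatch:
permissions: read-all
jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # needed by upload-sarif, scoped to this job
    steps:
      - uses: step-security/harden-runner@0000000000000000000000000000000000000000 # placeholder
        with:
          egress-policy: audit
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-helper
      - uses: github/codeql-action/upload-sarif@main
"""


def audit(workflow_text):
    """Summarise both checks as a dict a CI gate can fail on."""
    return {
        "unpinned": unpinned_actions(workflow_text),
        "read_only_top_level_permissions": has_top_level_read_only_permissions(workflow_text),
    }


if __name__ == "__main__":
    # Pass workflow files on the command line, or run with none to audit the sample.
    texts = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE_WORKFLOW]
    for text in texts:
        report = audit(text)
        for lineno, ref in report["unpinned"]:
            print(f"line {lineno}: not SHA-pinned: {ref}")
        if not report["read_only_top_level_permissions"]:
            print("top-level permissions are missing or grant write access")
```

Run it as `python check_workflows.py .github/workflows/*.yml` (script name is an assumption). On the sample it flags `actions/checkout@v4` and `github/codeql-action/upload-sarif@main` as unpinned while accepting the placeholder-pinned harden-runner step, and it accepts the job-level `security-events: write` because a read-only top level plus a narrowly scoped job grant is exactly the shape `upload-sarif` needs. A pinned SHA only fixes the code that runs; it does not tell you whether that code is safe, so keep Dependabot (already enabled per the out-of-band settings) pointed at `github-actions` so the pins are bumped with review rather than left to rot.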